Windows 2008 - AD LDS - WebSphere 7.0.0.7 - LSF 9.0.1.5

John Costa
Veteran Member
Posts: 154

    Has anyone successfully implemented AD LDS on a 2008 box?  More specifically, have you run into any problems using the Schema Editor on the 9.1.0.5 environment running WebSphere 7.0, fix pack 7? I have run into an issue that I am unable to resolve on my own. 

    Here's what I got:

    • Windows Server 2008, Enterprise Edition, 32-bit
    • IBM WebSphere 7.0, fix pack 7
    • Microsoft Active Directory - Lightweight Directory Services (AD-LDS)
    • Lawson Environment 9.0.1.5, patched to 9.0.1.5.353

    Here's the problem.  Using the Lawson Schema Editor, I am able to define attributes and save them to the local LDAP repository on the server.  However, whenever I try to add that attribute (e.g., Region) to a resource (e.g., Person), I get a "500 Internal Server Error" and I am forced to close the Schema Editor.  No errors are generated in the Lawson logs.  However, if I review the WebSphere logs for my application server, I find several Java errors get generated, beginning with the following:

    com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: Uncaught exception created in one of the service methods of the servlet LsGate in application LAWAPPS-lawsec. Exception created : javax.servlet.ServletException: Got exception while processing request. Nested Exception is com.lawson.lawsec.authen.SecurityAuthenException: Got exception while processing request  Stack Trace : com.lawson.lawsec.authen.SecurityAuthenException: Got exception while processing request

    I'm guessing it's a security or authentication issue of some kind, but I don't know.  I've gone through this environment install three times on this box thinking that I've made some sort of error along the way, but everything I can see shows a correct installation.  So I have to believe the problem is elsewhere.  I've exhausted everything I can think of and Lawson won't help since they believe it's an environment installation issue.

    Can any gurus out there help?

    _________________ John - Wichita, KS
    Jimmy Chiu
    Veteran Member
    Posts: 641

      My developer lawson servers:

      Windows 2008 Enterprise x64
      WebSphere 7.0 FP7
      Windows 2008 ADLDS
      ENV: 9.0.1.5.353

      I have no problem defining attributes and adding attributes to resources via RM Schema Editor. Are you using IIS?

      John Costa
      Veteran Member
      Posts: 154
        We are using IBM HTTP Server. Here's all I've been able to figure out. All the Schema Editor does is modify the %LAWDIR%\RmMeta_Default.xml file. Like I said, I can define attributes using the Schema Editor all day long; it's only when I try to add that attribute to a resource that it blows up. That leads me to believe it's some sort of Java error rather than a security error as originally thought. I've checked all of my system environment variables as well as those defined within the application servers of WebSphere and everything appears to be fine.

        I finally resorted to modifying the RmMeta_Default.xml file manually to define and add the attributes I needed. I then created the necessary ldif files and imported them into my LDAP with no errors. So at least I have a work-around. However, the original problem still exists.
        _________________ John - Wichita, KS
        Jimmy Chiu
        Veteran Member
        Posts: 641

          The 500 error indicates it's your IBM HTTP server configuration issue. The HTTP server barks at the requested transaction. I remember I ran into some of those issues with the WebSphere plugin configuration settings with Windows 2008.

          Another thing you may want to check is the file security for your %lawdir%\system. Rerun permsmaint and check your %lawdir%\system folder security. Does the account you use in Schema Editor have "F" access to this folder? You can check the %lawdir%\system\ladirs.cfg to verify. The Schema Editor account should be in the lawdev user group also.

          John Costa
          Veteran Member
          Posts: 154

            Jimmy - First, thanks for your assistance. I do appreciate it as I feel Lawson has left me out in the cold on this one.

            I did run into some issues trying to get my http.conf file set correctly. I believe it's good to go now as everything else works (Portal, Employee / Manager Self-Service, Design Studio, Security Administrator, etc.). If you'd be willing to review my file or compare it to yours, I'd be more than happy to send it to you.

            As far as the permsmaint utility, to my knowledge it has never been run / executed on any of our environments up until now. We've just made sure the user group defined for Lawson users has full access to %LAWDIR% and %GENDIR%. In the case of my LDAP admin account, it's been added to the 'Administrators' group for the server and has full access.

            Can you provide any other suggestions or things I can look at?

            _________________ John - Wichita, KS
            Jimmy Chiu
            Veteran Member
            Posts: 641
              Check your file security for RmMeta_default.xml

              it should be something like this:
              SYSTEM (full control)
              (Read & Execute, Read, Write)
              Administrators (full control)
              Users (Read & execute, read)

              I remember I ran into some issues with %lawdir%\system security. If you browse through some of the files, you will see your LAWDEV group is assigned to some of them also via permsmaint. (The security level you chose when you apply permsmaint should be the same as your environment security.) Are you using "3" for security?
              John Costa
              Veteran Member
              Posts: 154
                Jimmy - Here are my security settings for RmMeta_Default.xml:

                SYSTEM - Full control
                Administrators - Full Control
                Users - Full Control

                The local LDAP administrator account I created as part of the LSF9 core install is a member of the Administrators group. And like I mentioned earlier, I've never run the permsmaint utility. We've never run it on any of our systems in the past and it's never caused an issue. Are you thinking it might be causing an issue in this particular case?
                _________________ John - Wichita, KS
                Jimmy Chiu
                Veteran Member
                Posts: 641
                  What's the "Users Group" you have listed under laconfig in the security tab? I think it's a file security issue, assuming your webserver+plugin are configured properly. I ran into file security issues a lot at first when I started to use WIN2008.
                  Jimmy Chiu
                  Veteran Member
                  Posts: 641

                    Are you using Windows 2008 SP2 or Windows 2008 R2? I could not get Lawson environment running right on Windows 2008 R2.

                    John Costa
                    Veteran Member
                    Posts: 154
                      PROBLEM RESOLVED! Based on some suggestions provided by someone with more experience than me, I removed IBM WebSphere Fixpack 7, essentially "downgrading" my WebSphere and HTTP Server products back to version 7.0.0.0. After a server reboot, everything works like it should. Apparently there must be something in fix pack 7 that does not play well with Java. Who would've thought it? A software "fix" that "breaks" the software!
                      _________________ John - Wichita, KS
                      Jimmy Chiu
                      Veteran Member
                      Posts: 641
                        Hmm I am on fixpack 7 and I don't have the problem though. Maybe it's related to FP7 and IBM HTTP server? Since the only difference is I use IIS and you use IBM HTTP Server.
                        Xin Li
                        Veteran Member
                        Posts: 133
                          Jimmy and John,

                          We are planning to upgrade to 9.0.1 and use AD LDS as LDAP. What are the differences between setting up an AD LDS instance and an ADAM instance?

                          I appreciate your help.
                          Jimmy Chiu
                          Veteran Member
                          Posts: 641
                            Not much difference. ADLDS is renamed ADAM. Simple as that. There's only one slightly different way to add container as superior to Organization if I remember correctly. The rest is the same.